Lab Topology
The topology diagram below represents the NetMap in the Simulator. For this lab, your network design
includes two routers, HQ and Regional, which are connected by a serial link. Workstation, a PC, is
connected to a Fast Ethernet port on HQ, and a Terminal Access Controller Access Control System Plus
(TACACS+) server is connected to a Fast Ethernet port on Regional. Upon the initial loading of the lab, all
devices will be configured with the IP addresses and routing protocols needed for connectivity.
Device                       Interface   IP address      Network          Link
HQ                           S0 (DCE)    10.1.1.1        10.1.1.0/30      serial link to Regional S0
Regional                     S0          10.1.1.2        10.1.1.0/30      serial link to HQ S0
HQ                           Fa0/0       192.168.1.1     192.168.1.0/24   LAN to Workstation E0
Workstation                  E0          192.168.1.2     192.168.1.0/24   LAN to HQ Fa0/0
Regional                     Fa0/0       192.168.2.1     192.168.2.0/24   LAN to ACS Server E0
ACS Server (TACACS+ server)  E0          192.168.2.254   192.168.2.0/24   LAN to Regional Fa0/0
Command Summary
Command: aaa authentication enable default method1 [method2 ...]
Description: Enables AAA authentication to determine whether a user can access privileged EXEC mode.
Command: aaa authentication login {default | list-name} method1 [method2 ...]
Description: Enables AAA login authentication by using the methods in the list.
Command: aaa authentication login default enable
Description: Configures login authentication to use the enable password as the default method.
Command: aaa authorization exec {default | list-name} method1 [method2 ...]
Description: Configures exec authorization to use the methods in the list.
Lab Tasks
Task 1: Configure Local Database Authentication by Using AAA
Unless otherwise instructed, perform the following steps on Regional.
1. Turn on AAA services.
2. In the local database, create a user with the user name regionaluser and password regionalpass.
4. Configure login authentication to use the enable password as the default method.
6. Access the router through the console port. Which password should you use here, and why? ____
______________________________________________________________________________
7. Create a login authentication method named local_authent, and set it to authenticate users against
the local database.
Task 2: Configure AAA Exec Authorization by Using the Local User Database
1. In the local database on Regional, create a user with the user name regionaladmin and password
adminpass. Assign privilege level 15 to this user.
3. Which privilege level have you been placed at, and why? _________________________________
______________________________________________________________________________
8. Which privilege level have you been placed at, and why? _________________________________
______________________________________________________________________________
Credential                          Value
TACACS+ server address              192.168.2.254
TACACS+ key                         boson
ACS user name                       cisco
ACS user password                   ciscopass
ACS user-specific enable password   ciscoenable
2. On HQ, configure the IP address of ACS Server (192.168.2.254) so that the router can communicate with and
authenticate against the server. TACACS+ communication between HQ and ACS Server should be authenticated by
using the shared key boson.
4. Create an exec authorization method named aaa_exec, and configure it to authorize exec sessions
against ACS Server. You should configure the local user database to be the backup authorization
method.
6. Configure enable authentication to use ACS Server for primary authentication and to use the local
enable password as a backup.
7. From Workstation, telnet to HQ (192.168.1.1). Log in by using the credentials listed in the table at
the beginning of the task.
8. What credentials did you use to log in to HQ, and why? __________________________________
______________________________________________________________________________
10. From Workstation, enter privileged EXEC mode on HQ. Which password did you use to enter
privileged EXEC mode, and why? ___________________________________________________
______________________________________________________________________________
Once you have completed this lab, be sure to check your work by using the grading function.
You can do so by clicking the Grade Lab icon in the toolbar or by pressing Ctrl+G.
Lab Solutions
Task 1: Configure Local Database Authentication by Using AAA
1. On Regional, you should issue the following command to turn on AAA services:
Regional(config)#aaa new-model
2. On Regional, you should create the appropriate user in the local database by issuing the username
regionaluser password regionalpass command.
3. On Regional, you should set the enable password by issuing the enable password training command; this is
the password that step 6 and the later console logins use.
4. On Regional, you should configure login authentication to use the enable password as the default method by
issuing the aaa authentication login default enable command.
5. On Regional, you should issue the following commands to log out of the router:
Regional(config)#end
Regional#exit
6. On Regional, you should use the enable password to log in to the router.
Password:training
Regional>enable
Password:training
Regional#
When the default login authentication method is set to enable, the router accepts the enable password as the
login credential on every line that has no named method list applied. If an enable secret is also configured, the
enable secret takes precedence and is the password the router expects.
7. On Regional, you should create a login authentication method named local_authent that authenticates users
against the local database by issuing the aaa authentication login local_authent local command.
8. On Regional, you should issue the following commands to apply local_authent to the vty lines:
Regional(config)#line vty 0 4
Regional(config-line)#login authentication local_authent
9. From Workstation, issue the following command to telnet to Regional; use regionaluser as the user name and
regionalpass as the password:
C:>telnet 10.1.1.2
Username:regionaluser
Password:regionalpass
Regional>
10. You should issue the following command to disconnect the Telnet session:
Regional>exit
[Connection to 10.1.1.2 closed by foreign host]
Task 2: Configure AAA Exec Authorization by Using the Local User Database
1. On Regional, use the enable password to log back in to the console. You should then issue the
following commands to create the appropriate user in the local user database and assign the correct
privilege level to the user:
Password:training
Regional>enable
Password:training
Regional#configure terminal
Regional(config)#username regionaladmin privilege 15 password adminpass
2. From Workstation, issue the following command to telnet to Regional; use regionaladmin as the
user name and adminpass as the password:
C:>telnet 10.1.1.2
Username:regionaladmin
Password:adminpass
Regional>
3. You have been placed at privilege level 1, which is user EXEC mode. Although you have authenticated as
regionaladmin, no exec authorization method is applied to the vty lines, so the privilege level stored with the
user's local database entry is never consulted and the session starts at the default level. User EXEC mode is
denoted by the following prompt:
Regional>
4. You should issue the following command to disconnect the Telnet session:
Regional>exit
[Connection to 10.1.1.2 closed by foreign host]
5. On Regional, use the enable password to log back in to the console. You should then issue the following
commands to create an exec authorization method named local_author that authorizes exec sessions against the
local user database:
Password:training
Regional>enable
Password:training
Regional#configure terminal
Regional(config)#aaa authorization exec local_author local
6. On Regional, you should issue the following commands to apply local_author to the vty lines:
Regional(config)#line vty 0 4
Regional(config-line)#authorization exec local_author
7. From Workstation, issue the following command to telnet to Regional; use regionaladmin as the
user name and adminpass as the password:
C:>telnet 10.1.1.2
Username:regionaladmin
Password:adminpass
Regional#
8. You have been placed at privilege level 15, which is privileged EXEC mode. After the local_author method is
applied to the vty lines, AAA authenticates the user against the local database and then applies the privilege
level stored with that user's entry, so regionaladmin is placed directly at level 15. Privileged EXEC mode is
denoted by the following prompt:
Regional#
9. You should issue the following command to disconnect the Telnet session:
Regional#exit
[Connection to 10.1.1.2 closed by foreign host]
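The complete Regional configuration for Tasks 1 and 2, assembled here as an added example that is not part of the original lab solution. The commands for steps 2 through 4 and 7 of Task 1 are reconstructed from the task descriptions and the command summary, and the enable password training is the one shown in the console sessions above; the comments note the caveats a practitioner would apply outside the lab.

```cisco
! Regional: AAA login authentication (Task 1) and exec authorization (Task 2)
! Added example; reconstructed from the lab's task descriptions, not the lab's own text.
configure terminal
 aaa new-model
 !
 ! Local user database. "username ... password" is stored in cleartext or as reversible
 ! type 7; outside the lab prefer "username <name> secret <pw>" for a salted hash.
 username regionaluser password regionalpass
 username regionaladmin privilege 15 password adminpass
 !
 ! Password used by the "enable" login method below. "enable secret" is hashed and takes
 ! precedence over "enable password" when both exist; the lab uses the weaker form.
 enable password training
 !
 ! Default login method: the enable password is the login credential on every line
 ! (console included) that has no named method list applied.
 aaa authentication login default enable
 !
 ! Named lists: authenticate against the local database and, after authentication,
 ! apply the privilege level stored with the user's local entry.
 aaa authentication login local_authent local
 aaa authorization exec local_author local
 !
 ! Without "authorization exec" on the line, every user lands at privilege level 1
 ! regardless of the privilege value in the username command (Task 2, step 3).
 line vty 0 4
  login authentication local_authent
  authorization exec local_author
 end
```

Enter these with a console session held open: once aaa new-model is active, the console uses the default login list, and a default list of enable with no enable password set locks you out. Confirm the result with show running-config | section aaa before disconnecting. The console line is not covered by authorization exec unless aaa authorization console is also configured.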
1. On HQ, log in to the console by using the user name hqadmin and the password hqpass. You should then issue
the following commands to enter global configuration mode:
Username:hqadmin
Password:hqpass
HQ>enable
HQ#configure terminal
2. On HQ, you should configure the IP address of ACS Server and configure TACACS+ communications to
authenticate by using the key boson; you can do so by issuing the tacacs-server host 192.168.2.254 key boson
command.
4. On HQ, you should create an exec authorization method named aaa_exec that authorizes exec sessions against
ACS Server first and uses the local user database as a backup by issuing the aaa authorization exec aaa_exec
group tacacs+ local command.
5. On HQ, you should issue the following commands to apply the aaa_login and aaa_exec methods to
the vty lines:
HQ(config)#line vty 0 4
HQ(config-line)#login authentication aaa_login
HQ(config-line)#authorization exec aaa_exec
6. On HQ, you should configure enable authentication to use ACS Server first and the local enable password as a
backup by issuing the aaa authentication enable default group tacacs+ enable command.
7. From Workstation, issue the following command to telnet to HQ. Log in with the user name cisco and the
password ciscopass. The vty lines are configured to use the aaa_login and aaa_exec method lists to authenticate
and authorize users, respectively; both lists query ACS Server first and use the local database only as a
fallback.
C:>telnet 192.168.1.1
Username:cisco
Password:ciscopass
HQ>
8. You had to use the user name cisco and the password ciscopass to log in to HQ because the aaa_login method
list queries ACS Server first, and these are the credentials configured for that user on ACS Server.
9. If ACS Server stopped responding, HQ would fall back to the backup method configured in aaa_login, which is
the local user database, and you would log in with the user name hqadmin and the password hqpass. The fallback
applies only when the server cannot be reached; a login that ACS Server explicitly rejects is not retried against
the local database. Below is an example of the login steps using the backup method; you do not need to issue
these commands in this lab.
C:>telnet 192.168.1.1
Username:hqadmin
Password:hqpass
HQ>
10. From Workstation, enter privileged EXEC mode on HQ. Enable authentication is configured to use ACS Server as
its primary method, so you should use the user-specific enable password ciscoenable that is configured for the
user cisco on ACS Server:
HQ>enable
Password:ciscoenable
HQ#
11. You should issue the following command to exit the Telnet session:
HQ#exit
[Connection to 192.168.1.1 closed by foreign host]
13. To log back in to the HQ router, you should issue the following commands:
Username:hqadmin
Password:hqpass
HQ>enable
Username:cisco
Password:ciscoenable
HQ#
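The complete HQ configuration for Task 3, assembled here as an added example that is not part of the original lab solution. The tacacs-server command, the aaa_login list, the aaa_exec list and the enable-authentication command are reconstructed from the task descriptions and from the fallback behaviour described in step 9 (aaa_login falls back to the local database); the hqadmin account is shown on the page as pre-existing, and HQ's local enable password is not given anywhere on the page, so the example does not set one.

```cisco
! HQ: TACACS+ authentication and authorization with local fallback (Task 3)
! Added example; reconstructed from the lab's task descriptions, not the lab's own text.
configure terminal
 aaa new-model
 !
 ! Local fallback account (pre-existing in the lab). Reached only when ACS Server does
 ! not respond; the same type 7 caveat as on Regional applies to "password".
 username hqadmin password hqpass
 !
 ! TACACS+ server and shared key. The key sits in the running config; "service
 ! password-encryption" only applies reversible type 7 obfuscation to it, so treat
 ! the configuration file as a secret.
 tacacs-server host 192.168.2.254 key boson
 !
 ! Method lists: ask ACS Server first and use the local database only if the server is
 ! unreachable. A reject from ACS Server is final; IOS does not then try "local".
 aaa authentication login aaa_login group tacacs+ local
 aaa authorization exec aaa_exec group tacacs+ local
 !
 ! Enable authentication: the user-specific enable password held on ACS Server
 ! (ciscoenable for the user cisco), then the local enable password. The lab does not
 ! show HQ's local enable password; without one the "enable" fallback cannot succeed.
 aaa authentication enable default group tacacs+ enable
 !
 line vty 0 4
  login authentication aaa_login
  authorization exec aaa_exec
 end
```

Two things to check when this is reproduced outside the simulator. First, HQ reaches ACS Server over the serial link, so its TACACS+ packets are sourced from 10.1.1.1 unless ip tacacs source-interface says otherwise, and ACS Server must list that address as an AAA client with the key boson or every request is dropped as unauthenticated; show tacacs and debug aaa authentication show which it is. Second, newer IOS releases replace the one-line tacacs-server host form with a tacacs server NAME block (address ipv4 and key sub-commands); the method lists are unchanged.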
Copyright © 1996–2017 Boson Software, LLC. All rights reserved. NetSim software and documentation are protected by copyright law.